Back to basics
by Stuart Corner
Why can’t we get this stuff right?
A LITANY OF CYBERSECURITY FAILURES
The title of Jess Dodson’s presentation at AusCERT2021, held in the Star Hotel on Queensland’s Gold Coast and online, was framed as a question: “Back to Basics - why can’t we get this stuff right?”
She didn’t answer it. What she did was deliver an impassioned speech detailing the multiple failures in basic security practice and policy — yes, even leaving the username and password as ‘admin’ and ‘admin’ (more of that later) — that she has seen time and time again in her 15 years as a Windows system administrator.
“I’m pretty miffed about some of the stuff I keep seeing when I’m going into organisations and businesses and companies,” Dodson said. “I feel like a lot of this is very much common sense. But if it is common sense, why isn’t it being done?” Good question.
Suspecting that many in her audience were likely guilty of the sins she was about to reveal, she warned them: “There are going to be things in here that will make you squirm. And I’m very sorry about that. But that is my intention. Think of this more as teaching you to reaffirm those beliefs that you have about the things that you should be doing properly in your organisation.” Dodson then presented a comprehensive list of failures in security practice and policy, broken down according to the categories in the NIST Cybersecurity Framework: identify, protect, detect, respond, recover. A summary of the basic security measures she described can be found on her blog.
Here’s some of what she had to say.
IDENTIFY
You can’t protect what you don’t know you have. “I am yet to go into an organisation that has an asset system and an audit system that is up to date, and they know all of their inventory. Without having that inventory, without knowing what you’ve got, it’s incredibly difficult for you to protect your systems.”
Beware the single source of truth. “One person who knows everything and is the single point and source of truth for everything is not a good place to be. … But on the flip side, if everyone is responsible, then no one is responsible. So you need to make sure that your business owners and your system owners are actually owning their own risk and owning the risk of their systems.”
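The two points above, an inventory you can trust and a named owner for every system, can be checked mechanically. The following is an added example, not code from the article or from Dodson: it reconciles an asset register against the hosts actually seen on the network and reports what is unregistered, what is stale, what has no owner, and what has not been reviewed. The register entries and sightings are constructed sample data; in practice they would come from a CMDB export and from sources such as a network scan, DHCP leases or Active Directory computer objects.

```python
"""Reconcile an asset register against hosts actually observed on the network.

Added example, not code from the article or from Jess Dodson. The register
and observation records are constructed inline; in practice they would come
from a CMDB export and from a network scan, DHCP leases or AD computer objects.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RegisteredAsset:
    hostname: str
    owner: Optional[str]      # system/business owner; None means nobody owns the risk
    last_reviewed: date


@dataclass(frozen=True)
class ObservedHost:
    hostname: str
    source: str               # where it was seen: "dhcp", "nmap", "ad", ...
    last_seen: date


def reconcile(register, observed, today, max_age=timedelta(days=90)):
    """Return the gaps between what the register says and what was observed."""
    reg = {a.hostname.lower(): a for a in register}
    # Keep the most recent sighting per host; hostnames compare case-insensitively.
    seen = {}
    for h in observed:
        key = h.hostname.lower()
        if key not in seen or h.last_seen > seen[key].last_seen:
            seen[key] = h
    unregistered = sorted(k for k in seen if k not in reg)
    stale = sorted(k for k in reg if k not in seen or today - seen[k].last_seen > max_age)
    ownerless = sorted(k for k, a in reg.items() if not a.owner)
    review_overdue = sorted(k for k, a in reg.items() if today - a.last_reviewed > max_age)
    return {
        "unregistered": unregistered,       # on the network, not in the register
        "stale": stale,                     # in the register, not seen within max_age
        "ownerless": ownerless,             # no one accountable for its risk
        "review_overdue": review_overdue,   # register entry not reviewed within max_age
    }


# Constructed sample data (not real hosts).
TODAY = date(2021, 5, 14)
SAMPLE_REGISTER = [
    RegisteredAsset("fs01", "finance", date(2021, 4, 1)),
    RegisteredAsset("web02", None, date(2020, 11, 1)),
    RegisteredAsset("old-print1", "facilities", date(2021, 3, 1)),
]
SAMPLE_OBSERVED = [
    ObservedHost("FS01", "dhcp", date(2021, 5, 13)),
    ObservedHost("web02", "nmap", date(2021, 5, 13)),
    ObservedHost("nas-shadow", "dhcp", date(2021, 5, 12)),
    ObservedHost("old-print1", "ad", date(2020, 12, 20)),
]


def sample_report():
    return reconcile(SAMPLE_REGISTER, SAMPLE_OBSERVED, TODAY)


if __name__ == "__main__":
    for category, hosts in sample_report().items():
        print(f"{category:15s} {', '.join(hosts) or '-'}")
```

Each category maps to a different conversation: an unregistered host needs an owner before anything else, a stale entry is either retired kit or a machine that has dropped out of monitoring, and an ownerless entry is exactly the “everyone is responsible, so no one is” situation described above.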
Have a risk register. “Business owners will take risks and they will accept those risks until things go wrong. So make sure that you have written down the risks to those systems. You need to understand why those risks are in place. A risk register is your friend. You then have evidence as to ‘this is the risk’, and ‘this is who I told’, and they’re the ones who said, ‘absolutely go ahead’.”
Back to Basics by Jess Dodson
PROTECT
Avoid default and non-expiring passwords. “Stop setting ‘password does not expire’ on your C-level accounts. I don’t want to see CIOs and CEOs and CISOs with ‘password never expires’. They are in my eyes VIP sensitive users. They should have just as much restriction on their accounts as administrative accounts have.”
Avoid simple passwords. “I really didn’t think this needed to be said, but it is public knowledge. Back in 2018, an Australian government agency had a penetration test done. They were popped within 10 minutes, because all of their appliances had the default username and password of admin and admin set.”
Allow password managers. “Please don’t block the use of password managers. The number of organisations that I see who block these. All you’re doing is forcing users to create insecure passwords.”
Enforce role-based access permissions. “Make sure that you are fine-tuning access rights based on what your users need. Have identity audits performed. Make sure that you are doing some form of privileged access management, so you can go through and make sure that when a user changes roles you review all of their permissions.”
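Two of the PROTECT points above, non-expiring passwords on VIP and administrative accounts and permissions that are never re-reviewed when someone changes role, show up in a plain export of account attributes. The following is an added example, not code from the article or from Dodson: it audits a list of account records of the kind you would get from an Active Directory export (the PasswordNeverExpires flag and group memberships) against a role-to-group entitlement table. The accounts are constructed, and the entitlement table and the list of privileged groups are assumptions standing in for what IAM and the system owners would maintain.

```python
"""Audit account hygiene: non-expiring passwords on sensitive accounts and
group memberships that exceed what the user's role entitles them to.

Added example, not from the article. The records mirror attributes you would
export from Active Directory (PasswordNeverExpires, MemberOf); they are
constructed here. The role-to-group entitlement table is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Account:
    sam: str                      # sAMAccountName
    role: str                     # role from the HR / identity source
    password_never_expires: bool  # the userAccountControl flag
    groups: FrozenSet[str]        # current group memberships
    enabled: bool = True


# Assumed entitlement model: the groups each role is allowed to hold.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "helpdesk": frozenset({"Domain Users", "Helpdesk", "Remote Desktop Users"}),
    "dba": frozenset({"Domain Users", "SQL Admins"}),
    "executive": frozenset({"Domain Users", "Executives"}),
    "service": frozenset({"Domain Users", "Backup Operators"}),
}
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "SQL Admins", "Backup Operators"})
VIP_ROLES = frozenset({"executive"})   # treated like admin accounts, as the talk argues


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return {account: [issues]} for every enabled account with a finding."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        if not a.enabled:
            continue
        issues = []
        sensitive = a.role in VIP_ROLES or bool(a.groups & PRIVILEGED_GROUPS)
        if a.password_never_expires and sensitive:
            issues.append("password never expires on a sensitive (VIP or privileged) account")
        if a.role not in ROLE_ENTITLEMENTS:
            issues.append(f"role '{a.role}' has no entitlement mapping; review manually")
        else:
            excess = a.groups - ROLE_ENTITLEMENTS[a.role]
            if excess:
                issues.append(f"groups beyond role '{a.role}': {', '.join(sorted(excess))}")
        if issues:
            findings[a.sam] = issues
    return findings


# Constructed sample export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("ceo", "executive", True, frozenset({"Domain Users", "Executives"})),
    # moved from helpdesk to DBA and kept the old group: the role-change review never happened
    Account("jsmith", "dba", False, frozenset({"Domain Users", "SQL Admins", "Helpdesk"})),
    Account("svc-backup", "service", True, frozenset({"Domain Users", "Domain Admins"})),
    Account("tlee", "helpdesk", False, frozenset({"Domain Users", "Helpdesk"})),
    Account("old-contractor", "contractor", True, frozenset({"Domain Users"}), enabled=False),
]


def sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for sam, issues in sample_audit().items():
        for issue in issues:
            print(f"{sam}: {issue}")
```

Run on a schedule and diffed against the previous run, the output is the identity audit Dodson asks for: a service account that has been dropped into Domain Admins, or a user who kept their old team’s groups after moving, surfaces the next day rather than at the next penetration test.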
DETECT
Look to your logs. “Please make sure that you are grabbing all the right logs. You don’t know what you can’t see. So you can’t track it back if you don’t have access to it. … Make sure you are putting them somewhere that you can look at them, and you can understand what’s going on in your systems.”
Beware of insider threats. “You need to have monitoring over your SIEM and SOAR tools. You need to make sure that any changes being made in those systems are logged so that you can actually determine what has happened. We do have very smart attackers that will know the easiest way to avoid detection is to disrupt your security systems. So make sure you are monitoring them in a way that you can actually see when they are tampered with.”
Fine tune your monitoring systems. “This is one of my big bugbears. There is no use alerting for everything. You will drown in noise. You will not see anything of value if you are not actually tuning your systems. You need to make sure that what is being sent and what is being seen is legitimate, is actionable, is something that’s actually important, and that you’re seeing as few false and benign positives as possible. And you understand the difference between a false and a benign positive.”
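The two DETECT points above, watching for tampering with your security tooling and tuning so that only actionable alerts reach a human, fit together in one small piece of detection logic. The following is an added example, not code from the article or from Dodson. It runs over a handful of constructed Windows event records in the JSON-lines shape a log forwarder might send to a SIEM, fires on the events that indicate someone is interfering with logging or endpoint protection (Security 1102, 1100 and 4719, and Defender 5001), and then applies a tuning rule: the approved log-archiving account doing this inside its nightly change window is recorded as a benign positive rather than paged. The account name and window are assumptions standing in for an organisation’s change records, and the events are constructed.

```python
"""Detect tampering with logging and security tooling in Windows event data,
and tune the alerts so approved maintenance is recorded as a benign positive
rather than paged as an incident.

Added example, not from the article. Events are constructed JSON lines in the
shape a forwarder would send to a SIEM; the approved account and change window
are assumptions standing in for an organisation's change records.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, List

# (channel, event id) pairs that indicate someone is interfering with detection.
TAMPER_RULES = {
    ("Security", 1102): "security audit log cleared",
    ("Security", 1100): "event logging service shut down",
    ("Security", 4719): "system audit policy changed",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "Defender real-time protection disabled",
}

# Assumed tuning data: an archiving account allowed to clear and adjust audit
# settings during its nightly window. A match is a benign positive: the rule
# fired correctly, the activity is authorised, and it is still kept for audit.
APPROVED_ACCOUNTS = {"svc-logarchive"}
CHANGE_WINDOW = (time(2, 0), time(3, 0))
TUNABLE_RULES = {("Security", 1102), ("Security", 4719)}


@dataclass
class Alert:
    when: datetime
    host: str
    user: str
    rule: str
    disposition: str   # "actionable" or "benign positive"


def is_benign(key, user: str, when: datetime) -> bool:
    return (key in TUNABLE_RULES and user in APPROVED_ACCOUNTS
            and CHANGE_WINDOW[0] <= when.time() < CHANGE_WINDOW[1])


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts = []
    for line in lines:
        ev = json.loads(line)
        key = (ev["Channel"], ev["EventID"])
        if key not in TAMPER_RULES:
            continue                               # not a rule we care about here
        when = datetime.fromisoformat(ev["TimeCreated"])
        user = ev.get("SubjectUserName", "")       # not every channel records a subject
        disposition = "benign positive" if is_benign(key, user, when) else "actionable"
        alerts.append(Alert(when, ev["Computer"], user, TAMPER_RULES[key], disposition))
    return alerts


def summarise(alerts: List[Alert]) -> Counter:
    """Volume per (rule, disposition): the starting point for tuning noisy rules."""
    return Counter((a.rule, a.disposition) for a in alerts)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    '{"TimeCreated":"2021-05-14T02:05:00","Channel":"Security","EventID":1102,"Computer":"DC01","SubjectUserName":"svc-logarchive"}',
    '{"TimeCreated":"2021-05-14T02:10:00","Channel":"Security","EventID":4719,"Computer":"DC01","SubjectUserName":"svc-logarchive"}',
    '{"TimeCreated":"2021-05-14T09:00:00","Channel":"Security","EventID":4624,"Computer":"FS01","SubjectUserName":"jsmith"}',
    '{"TimeCreated":"2021-05-14T11:42:13","Channel":"Security","EventID":1102,"Computer":"FS01","SubjectUserName":"jsmith"}',
    '{"TimeCreated":"2021-05-14T11:42:40","Channel":"Microsoft-Windows-Windows Defender/Operational","EventID":5001,"Computer":"FS01","SubjectUserName":"jsmith"}',
    '{"TimeCreated":"2021-05-14T11:43:02","Channel":"Security","EventID":4719,"Computer":"FS01","SubjectUserName":"SYSTEM"}',
    # approved account, but outside its window: still actionable
    '{"TimeCreated":"2021-05-14T23:30:00","Channel":"Security","EventID":1102,"Computer":"WS17","SubjectUserName":"svc-logarchive"}',
]


def sample_alerts() -> List[Alert]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.when:%H:%M:%S} {a.host:5s} {a.user:15s} {a.rule:40s} {a.disposition}")
    print(summarise(sample_alerts()))
```

Note the distinction the tuning rule makes: the benign positives are kept and counted, not dropped, so the volume summary still shows how often the rule fires. A false positive would be different, a rule matching something it was never meant to match, and the fix for that is in the rule, not in an allowlist. The last sample event is the edge case worth testing: an approved account doing the approved thing at an unapproved time is exactly the kind of activity the allowlist must not hide.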
RESPOND & RECOVER
Backup basics. “You need to test your backups. Your backup is useless unless we can successfully restore it. So please make sure that you’re testing your restores. We are seeing ransomware and crypto still out there. So we need to make sure that we are checking our backups.”
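“Your backup is useless unless we can successfully restore it” is a test you can automate. The following is an added example, not code from the article or from Dodson: it records a checksum manifest of what was backed up, restores the archive somewhere other than the source, and checks every file in the manifest against what came back. It builds a small sample directory and a tar.gz archive in a temporary location so it runs offline; the manifest-and-compare step is the same whatever backup product actually produced the archive. The second case deliberately builds a backup that silently skipped a file, the kind of misconfiguration a restore test exists to catch.

```python
"""Prove a backup by restoring it somewhere else and checking every file
against the checksums recorded when the backup was taken.

Added example, not from the article. It builds a sample directory and a
tar.gz "backup" in a temporary location so it runs offline; the verify step
applies to any restore, whatever the backup product.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path, exclude: Iterable[str] = ()) -> Dict[str, str]:
    """Archive src and return a manifest {relative path: sha256} of what should be in it.

    `exclude` simulates a misconfigured job that silently skips files: they are
    in the manifest (they exist in the source) but never make it into the archive.
    """
    skipped = set(exclude)
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            manifest[rel] = sha256_of(f)
            if rel not in skipped:
                tar.add(f, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str], restore_dir: Path) -> List[str]:
    """Restore into restore_dir and return the problems found (empty list means a good restore)."""
    problems: List[str] = []
    try:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):      # safe extraction where Python supports it
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
    except (tarfile.TarError, EOFError, OSError) as e:
        return [f"archive unreadable: {e}"]
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_of(restored) != expected:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed sample data: a good backup and one that silently skipped a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,42.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        good = root / "good.tar.gz"
        good_problems = verify_restore(good, make_backup(src, good), root / "restore_good")

        bad = root / "bad.tar.gz"
        bad_manifest = make_backup(src, bad, exclude=["finance/ledger.csv"])
        bad_problems = verify_restore(bad, bad_manifest, root / "restore_bad")
        return good_problems, bad_problems


if __name__ == "__main__":
    good, bad = run_demo()
    print("good backup:", good or "restore verified")
    print("bad backup: ", bad or "restore verified")
```

The important habit is the separate restore location and the checksum comparison: a job that reports “success” while quietly excluding a directory looks identical to a good one until something actually tries to read the files back.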
You need a plan. “Have a plan, any kind of plan. And just like backups, please test that plan. You need to make sure that you understand who you need to speak to, what systems are critical, remembering you identified everything. You have an asset system that’s up to date, and make sure that you’re following that plan and also make improvements and updates to that plan as needed and necessary. Because a plan that was functional five years ago is likely not going to be functional now. For starters, there’s a good chance most of the people that you need to contact may not still be there. Perform tabletop exercises.”
AND WHEN THINGS FALL APART…
“It is okay to screw up. Everyone does. It is inevitable. You will screw up at some point. So own your own mistakes. Don’t hide them. Don’t minimise them. Own up to them. Help fix them. It’s going to make you more trustworthy, and prove that you are part of a team more than if you were to try and hide it.
“The big one for that though is organisations that play the blame game. So you want to make sure that managers aren’t playing the blame game when things go wrong. You need to foster a level of accountability in your staff so they know they are not going to have their head roll if something goes wrong.”